-=[!]=-

2013-03-19

We get a PNG image that's all black. Looking at the structure there doesn't appear to be any other data, only a single IDAT chunk with deflated image bytes. Decompressing the data we can see a lot of runs with NULL bytes. So this is likely to be an image very limited in color, perhaps all black. After some trial and error we can "highlight" actual content by changing the gamma of the PNG, either via CLI or in Gimp using "Color" -> "Auto" -> "Normalize". This results in an image of a QR-Code that decodes to a URL.

So, we can see that there's some structure to the decoded data blob, but it seems to be non-sense except for the header part, which may contain "encoded" ASCII characters. We could try and guess the file format and at least attempt basic XOR decryption with common magic values as the key in order to get the real key. Another approach is to assume that the header will contain runs of NULL bytes in which case in simple XOR the key will be as plain-text.

In the end it turned out to be a JPEG image XOR encrypted using the "fbbits" key. The image contains the flag in form of a hash string overlayed in red on top of the image. Also, notice that the "fbbits" key was in fact present in the data blob where the real JPEG had a run of NULL bytes at offset 0xC0, which is part of Huffman table.

2013-03-11

We get credentials to a SSH server which has two files in the home directory once logged in. One is the challenge binary and the other is a Linux kernel image, both are 64-bit. Running the binary we get a password prompt and no matter what is entered is incorrect.$ ./crackmePassword: qwertyYou loose :(

After downloading the binary and looking at the assembly it quickly becomes obvious that static analysis won't work. The "main()" function contains what appears to be garbage code and the ELF header has some unknown flags set. Also, running the binary on anything other than their server causes a segfault, since instructions make no sense.

Initially, I tried dumping the memory from the binary on their server but without much success as the server was constantly dropping connections and it was nearly impossible to get anything done remotely. Later they removed GDB stating it was causing resource exhaustion problems. Considering that they also supplied a kernel image it would make sense to assume that the execution of certain files has to go through a decryption routine, similar to how iPhone executes encrypted apps. In the iPhone apps case the entire ".text" section is encrypted and the decryption key is within a kernel module. Thus, the idea is to analyze the supplied kernel image and identify where decryption occurs.

Poking around the kernel initially did not yield anything useful. Looking at the normal process execution sequence via the "execve()" call and following the entire procedure from start to finish did not yield anything that may indicate handling encryption. The typical sequence is for the correct system call stub to be called, which then goes into "sys_execve()" and onto "do_execve()" where the bulk of the logic is located. Nothing related to encryption stood out.

There's also functionality for handling various binary formats during process loading as well as the default ELF handling functions. The major one to parse the binary is the "load_elf_binary()" function. The function itself is a bit large, but not too complex and having a copy of the source code allows to go through it quicker and make sense of the structure parsing code.

Eventually, at very end of the function there's a rather peculiar code which first initializes a stack buffer with 35 constant values and then in a loop XORs a previously allocated buffer.

.text:FFFFFFFF8117A39C mov byte ptr [rbp+var_53], 12h

.text:FFFFFFFF8117A3A0 mov byte ptr [rbp+var_53+1], 43h ; 'C'

.text:FFFFFFFF8117A3A4 mov byte ptr [rbp+var_53+2], 34h ; '4'

.text:FFFFFFFF8117A3A8 mov byte ptr [rbp+var_53+3], 65h ; 'e'

.text:FFFFFFFF8117A3AC mov rax, rsi

.text:FFFFFFFF8117A3AF mov byte ptr [rbp+var_53+4], 78h ; 'x'

.text:FFFFFFFF8117A3B3 mov byte ptr [rbp+var_53+5], 0CFh ; '-'

.text:FFFFFFFF8117A3B7 sub rax, rdx

.text:FFFFFFFF8117A3BA mov byte ptr [rbp+var_53+6], 0DCh ; '_'

.text:FFFFFFFF8117A3BE mov byte ptr [rbp+var_53+7], 0CAh ; '-'

.text:FFFFFFFF8117A3C2 mov byte ptr [rbp+var_4B], 98h ; 'ÿ'

.text:FFFFFFFF8117A3C6 mov byte ptr [rbp+var_4B+1], 90h ; 'É'

.text:FFFFFFFF8117A3CA sub rcx, rax

.text:FFFFFFFF8117A3CD mov byte ptr [rbp+var_4B+2], 65h ; 'e'

.text:FFFFFFFF8117A3D1 mov byte ptr [rbp+var_4B+3], 31h ; '1'

.text:FFFFFFFF8117A3D5 xor edx, edx ; cnt = 0

.text:FFFFFFFF8117A3D7 mov byte ptr [rbp+var_4B+4], 21h ; '!'

.text:FFFFFFFF8117A3DB mov byte ptr [rbp+var_4B+5], 56h ; 'V'

.text:FFFFFFFF8117A3DF xor eax, eax

.text:FFFFFFFF8117A3E1 mov byte ptr [rbp+var_4B+6], 83h ; 'â'

.text:FFFFFFFF8117A3E5 mov byte ptr [rbp+var_4B+7], 0FAh ; '·'

.text:FFFFFFFF8117A3E9 mov [rbp+var_43], 0CDh ; '-'

.text:FFFFFFFF8117A3ED mov [rbp+var_42], 30h ; '0'

.text:FFFFFFFF8117A3F1 mov [rbp+var_41], 0FDh ; '²'

.text:FFFFFFFF8117A3F5 mov [rbp+var_40], 12h

.text:FFFFFFFF8117A3F9 mov [rbp+var_3F], 84h ; 'ä'

.text:FFFFFFFF8117A3FD mov [rbp+var_3E], 98h ; 'ÿ'

.text:FFFFFFFF8117A401 mov [rbp+var_3D], 0B7h ; '+'

.text:FFFFFFFF8117A405 mov [rbp+var_3C], 54h ; 'T'

.text:FFFFFFFF8117A409 mov [rbp+var_3B], 0A5h ; 'Ñ'

.text:FFFFFFFF8117A40D mov [rbp+var_3A], 62h ; 'b'

.text:FFFFFFFF8117A411 mov [rbp+var_39], 61h ; 'a'

.text:FFFFFFFF8117A415 mov [rbp+var_38], 0F9h ; '·'

.text:FFFFFFFF8117A419 mov [rbp+var_37], 0E3h ; 'p'

.text:FFFFFFFF8117A41D mov [rbp+var_36], 9

.text:FFFFFFFF8117A421 mov [rbp+var_35], 0C8h ; '+'

.text:FFFFFFFF8117A425 mov [rbp+var_34], 94h ; 'ö'

.text:FFFFFFFF8117A429 mov [rbp+var_33], 12h

.text:FFFFFFFF8117A42D mov [rbp+var_32], 0E6h ; 'µ'

.text:FFFFFFFF8117A431 mov [rbp+var_31], 87h ; 'ç'

Converting this code to Python and applying it to the extracted ".text" section from the binary we get the "executable" code section. Simply replacing the original section with the new one allows us to run the binary offline. However, we still get the same "Password" prompt and have to figure out the correct input to get the key.

The logic of the binary is to read a stream of bytes from STDIN, check for specific characters and either increment or decrement two variables depending on the characters used. Next, the variables are used as offsets into an array of ones and zeros and when the value of "1" is indexed into the process will exit with failure. Thus, the solution is to construct the correct character sequence that results in proper indexing without hitting a "1" and the length of input must be 80 characters.

The array represents a 15x15 matrix which is a maze that has a single solution. In this case it was easier to just print out the maze and apply the character sequences (w, s, a, d) which represent direction (up, down, left, and right) without coding a maze solver. Start from top-left and finish at the bottom-right.

2011-04-09

The provided binary is a ELF file designed to be run by inetd and accepts several character based commands followed by their parameters. The main loop reads a character from STDIN (in inetd a socket is duplicated into standard I/O descriptors) and based on the value picks a handler from an array of function pointers. The following commands exist:

'f' - return meta data for a given file name

'l' - list filenames from the home directory

'q' - terminate the process

's' - return symbolic link's path name

'v' - verify input with a key file's data

After mapping out all the available handlers and reviewing how they work there were no obvious vulnerabilities (e.g. buffer overflow). The handler functions that expect additional input first allocate some heap-based memory to store this input and care is taken to make sure it's not overflowed. After the handler completes its work the memory is freed. However, there's a design flaw in the way allocated memory is used when the key text is verified. Specifically, the key data is read into a allocated buffer and compared to the string supplied by a user. Once this is done the memory is simply freed, which returns the memory block to the free pool still containing the key data.

As a result, we can use another handler, which allocates memory for its operation and returns the results to the user. One such command is the 's' character, which accepts a symbolic link as a parameter. Additionally, after listing the contents of the home directory using the 'l' command we find few symbolic links that can be used for the 's' command. Thus, when requesting to view a symbolic link the real path will be copied to a allocated buffer. Since the buffer will come from the free pool and the contents were not cleared then whatever data was there will also be displayed. If the resulting path is shorter in length than the data size of the "KeyFile" we can disclose part of the secret key string.

Looking at the handler for the 'v' command it was identified that a string comparison is performed only on the last 14 bytes of the key file. This tells us how much of the disclosed key file's data we need to grab. Thus, to reproduce we need to submit the 'v' command with any key, which stores the key data into a buffer, but does not clear it after the comparison. Then, submit the 's' command to display the path of the "t1" link, which is short enough to disclose more than 14 bytes of the key file. Finally, take the last 14 bytes and submit them via the 'v' command again and this time the comparison succeeds and gives us the solution key.

2011-03-07

The binary is a Browser Helper Object (BHO) DLL with a static XOR key "securecodegate", which is used to decrypt few arrays with statically assigned characters to each index. The "sub_1000233E" function is called with the array and a XOR key as input to perform the decryption. This occurs three times within a handler function "sub_1000270A".

The first two calls are irrelevant as they result in decryption of "google_ads_frame" (key "secure") and "client" (key "code"). However, the third call produces the answer string using the "gate" key.

This was identified by looking for various interesting strings in the binary and locating their use references. The XOR decryption routine is fairly simple and can be performed via a IDC script.

We used a lazy/simple option. Register the DLL ("regsvr32 b300.dll"). Launch Internet Explorer, attach a debugger, locate the handler function ("sub_1000270A"). Modify EIP to jump to the buffer initialization sequence, which is right before the decryption function call (e.g. @ 0x10002C96 for the "gate" key).

The binary is a console based PE file. Running the file produces no output due to a certain routine terminating the process before the "main()" function starts. Looking around the code the "sub_401130" function stands out due to initialization of a local array with various bytes. At the end of this function a decryption routine is called ("sub_401070") with the array as input. The decryption loop performs an XOR operation using the string's length as the key.

To obtain the answer a breakpoint was placed @ 0x00401494, which calls the "ExitProcess()" library function prior to "main()". Next, modify EIP to point to the start of the array initialization routine and execute until the decryption function is called. Let it do its XOR job and look at a local buffer once complete to get the answer string.

we are investigating the military secret's leaking. we found traffic with leaking secrets while monitoring the network. Security team was sent to investigate, immediately. But, there was no one present. It was found by forensics team that all the leaked secrets were completely deleted by wiping tool. And the team has found a leaked trace using potable device. Before long, the suspect was detained. But he denies allegations.

Now, the investigation is focused on potable device. The given files are acquired registry files from system. The estimated time of the incident is Mon, 21 February 2011 15:24:28(KST). Find a trace of portable device used for the incident.

The enumeration shows all of the USB devices ever connected to the system. The registry last modified times are written the first time the device is connected, but are not updated when a device is subsequently connected.

Running a timeline on the registry (via "regripper"), we see that only one USB device is connected on Feb 21:

From there, we know that the suspect device vendor is "CORSAIR" and the serial number of the device is "DDF08FB7A86075". Inspection of this registry path reveals that the default name of the device has been changed. The registry key "FriendlyName" has a value of "PR0N33R", which is the displayed volume name when the device is connected.

This data is related to any attack.
calculate the md5sum of the intended file.

(calc md5 uppercase)

The provided binary is a PCAP file containing bunch of HTTP traffic and some SMB chatter. The question mentions an attack. Since it's heavy on HTTP usage then it made sense to get a list of all requests. Two strange requests stand out:

GET /H1A1.html HTTP/1.1 GET /H1A1.exe HTTP/1.1

Carving out (using Wireshark's "Follow TCP Stream" -> "Save As") the "H1A1.exe" response and removing the HTTP response header we end up with a regular PE file. Next, calculate its MD5 checksum and convert to upper case.